
Agent_r.V, Zlob, framer.z, Vundo, Rogue... [RESOLVED]

Chris_Z

Posted 07 August 2008 - 02:51 PM

Hey, guys, a friend highly recommended you, I hope you can help. Just wish I knew about this service earlier.

I have read and followed: "You Must Read This Before Posting A Hijackthis Log, Malware Cleaning Guide"

Repeated AVG 8 Free scans have logged numerous trojans, loggers, and hijackers. On each instance, after placing them in the virus vault, follow-up scans by AVG, Ad-Aware, SB S&D, SuperAntispyware and others come back clean, only to be followed a few days later by another AVG scan showing lots more nasties.

In between scans/cleanings, things ran normally, giving me a false sense of security, then suddenly the poo hits the fan again, with reinfections, periodic system freezes, BSODs, non-functioning devices like the fingerprint reader and strange resetting of the system clock/calendar, e.g. to 11/24/9999, with sequential event viewer entries like 6/20/80, 12/31/1969, 3/23/2036, etc. On two occasions, viruses were logged in sys vol info\restore. I turned off restore, rebooted, turned it on and created a new restore point.

On one occasion, after going to metacafe in IE6 (my usual browser is Opera) everything was being redirected to porn sites. One time I got a BSOD (kernel_data_inpage_error, stop 0x0000007A) and AVG found Zlob and html/framer.z. A bitdefender online scan wouldn't run. Have run online trojan scans, finding nothing, after AVG scans.

Today AVG found Agent_r.V, but searching AVG online I get "we did not find any virus in the Virus Encyclopedia." A-squared online scan found only process.exe and reboot.exe in smitfraudfix folder, which I understand are normal, non-malware files.

Just now, I created a restore point, ran ERUNT registry backup, ATF Cleaner, ran malwarebytes quick scan which found Trojan.agent in 2 registry keys and in c:\windows\downloaded program files\uninst.bat. Removed, saved log. There are no Windows high priority updates that have not been installed. I have not yet installed SP3.

Hijack This log is below, followed by Mbam log. I will add the uninstall list next post. I await your guidance. If there's anything I've overlooked, let me know. Thanks.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the text from C:\ComboFix.txt along with a new HijackThis log for further review.

** Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall **

Chris_Z

Posted 12 August 2008 - 01:43 PM


Thank you Sage5. The requested logs are posted below, but first I want to tell you what occurred when doing the two scans.

I ran ComboFix after closing all other apps. It rebooted, and on startup WinPatrol alerted to a change in the hosts file, the change being that all entries added by Spybot S&D were removed, leaving only 127.0.0.1. I rejected the change.

Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)

Save the file to the Desktop, make sure Type is All Files, and name it Fixreg.reg

Double click on the file created and click Yes when asked to merge the information into the Registry

We will re-enable WinPatrol when done.

Run Malwarebytes' Anti-Malware:

Open the program, click on the Update tab & click on the Check for Updates button.

If an update is found, it will download and install the latest version.

Once the program has loaded, select "Perform Quick Scan", then click Scan.

The scan may take some time to finish, so please be patient.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Save the entire report as C:\mbam.txt

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Kaspersky online scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below under Upgrading Java to download and install the latest version.

Read through the requirements and privacy statement and click on Accept button.

It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.

Chris_Z

Posted 13 August 2008 - 12:45 PM

Thanks, Sage5. I have taken all the recommended actions. The Malwarebytes scan found nothing; the KAV scan is still running, reporting 2 infected objects at one and a half hours (13%) into the C: drive.

I just wanted to give you a status report. With 590GB on 4 partitions, the scan is going to take quite some time. In fact, sitting here watching it, I notice that it hasn't moved beyond 13% and has been reporting "now scanning oeimport.dll" (in c:\windows\$NtServicePackUninstall$) for about 25 minutes. Perhaps I should restart it. (Note: all I have open is Opera and my biometric reader, but I see now that auto update has alerted me to updates to be installed, since the scan started; maybe it interfered with the KAV scan?)

Anti-Virus: The first line of defence, especially since some will now detect trojans as well. Avira's Antivir PersonalEdition Classic and Grisoft's Avast! Free Edition are among the best freebies. *Please note* You should never install more than one anti-virus program on a PC, as it will cause conflicts.

Firewall: A firewall is an essential tool in the security of any PC connected to the Internet. Sunbelt Personal Firewall and Comodo are both excellent freeware.

Alternate Browsers: Thankfully, there are now some excellent alternatives to MS Internet Explorer. They offer better security, more stability, and better speed. A couple of good examples are Firefox and Opera.

Other Updates: Vital security patches and updates are available for Microsoft Windows and Internet Explorer at the Windows Update Site. It is equally important to update the other security software you use on a regular basis.

"That was immediately followed by a WinPatrol alert of a file type change, from regedit.exe %1 %* to regedit.exe %1. I rejected that change.

"Then got WinPatrol alert to file type change from company name %1 %* to company name %1 /s. Rejected it.

"Now every few minutes, these two WP alerts repeatedly pop up in sequence. Don't know if it's important or not, just wanted to document it--and, I would like to get rid of those WP alerts."

These two alerts are still frequently recurring, and I reject the changes, but I can't see how to stop them. My WinPatrol "plus information" does not address the issue and the billbstudios/winpatrol web site gives no other information. Do you have any idea how I could clear up these alerts?

I know you are very busy, and if you have no time to think about this I will understand. I'm just hoping you can give me a suggestion of where to start.
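An added example, not from this thread or from WinPatrol's author: a read-only PowerShell audit of the two items the alerts in this post concern, the hosts file and the shell "open" commands for the .reg and .exe file types, compared against what I assume to be stock Windows values (the expected strings and the use of HKLM:\SOFTWARE\Classes in place of HKCR are my assumptions).

```powershell
# Added example: audit the hosts file and the .reg / .exe "open" commands that
# WinPatrol was alerting on in this thread. Read-only; nothing is changed.

# Assumption: these are the stock Windows (Default) values for each key.
$expectedCommands = @{
    'HKLM:\SOFTWARE\Classes\regfile\shell\open\command' = 'regedit.exe "%1"'
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' = '"%1" %*'
}

$findings = @()

# 1. Hosts file. A stock file carries only the loopback line(s); Spybot S&D adds
#    many blocking entries that point ad/malware hosts at 127.0.0.1. Report every
#    active line so the operator can tell expected entries from unexpected ones.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$activeLines = Get-Content -Path $hostsPath -ErrorAction Stop |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
foreach ($line in $activeLines) {
    $fields = ($line -split '\s+') | Where-Object { $_ }
    if ($fields[0] -ne '127.0.0.1' -and $fields[0] -ne '::1') {
        # A name mapped to a non-loopback address is the redirect pattern to look at first
        $findings += "hosts: non-loopback mapping '$line'"
    } elseif ($fields.Count -gt 1 -and $fields[1] -ne 'localhost') {
        $findings += "hosts: name blocked via loopback: '$($fields[1])'"
    }
}

# 2. File-type open commands: compare each key's (Default) value to the stock string.
foreach ($key in $expectedCommands.Keys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $findings += "registry: $key is missing"
        continue
    }
    $actual = [string]$item.GetValue('')
    if ($actual.Trim() -ne $expectedCommands[$key]) {
        $findings += "registry: $key is '$actual', expected '$($expectedCommands[$key])'"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No deviations: hosts file and open commands match the assumed stock values.'
} else {
    $findings | ForEach-Object { Write-Output "DEVIATION $_" }
}
```

Loopback entries listed under "name blocked via loopback" are what Spybot S&D's immunization adds and are expected on a machine running it; the non-loopback and registry deviations are the ones worth following up.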

Chris_Z

Posted 17 August 2008 - 06:38 PM


Sage5, those WinPatrol alerts, which had been popping up regularly since August 12, mysteriously ceased as of this morning (8/17). I have no explanation for why, but I sincerely regret that I caused you to take your valuable time in addressing the issue for me. I had tried everything, including a contact with WinPatrol's Bill P., who said he had no idea where the file type changes could have come from (they started after the ComboFix and HJT scans). But he did tell me that even the changed file types would not have made a difference, i.e., I could have safely allowed the change without consequence.

Once again, thank you for your excellent assistance. I will be making a PayPal contribution to this worthy service.

Chris

btw, I'm giving AntiVir a trial, and so far I like it better than AVG. Thanks for the tip!